Monday, May 3, 2010

Last fall I put together a LiveCD to support Wes Brown's Malware Analysis Workshop at Hack in the Box Malaysia 2009 using Debian, a lot of bailing wire, and some duct tape. The disc has attracted some attention, especially at B-Sides, but is not distributable for several reasons:

It is a sealed box; any updates you make disappear when someone pushes the pretty red button.

It requires a Windows Virtual Machine; no, we cannot give you ours.

If Debian Stable did not like your video card, neither did our LiveCD.

Ditto for your network card. Well, triple for your network card. Who in the audience did not bring a 3c905-TX NIC, please raise your hands?

The latest Ubuntu release, Lucid Lynx, fixes the last two problems. That is a big deal for me, as the lack of good NVidia and ATI support was a problem for me as well as some participants. Ubuntu's LiveCD seems to do the right thing, which is great news for me. The second problem is a big one, and comes down to a need to document the work required for building a virtual machine that can be instrumented by our tools. And, like any large and boring problem, I am going to ignore it.

But, I think the first one will be fun to solve. It starts with stealing a page from WaspVM and MOSREF and building a metacircular environment. The Malware Analysis Environment should be able to serialize itself to either an ISO9660 filesystem or a USB flash drive as needed, and boot from either of those two source. It should also be able to "checkpoint" changes to the filesystem and load them up as overlays -- a trick borrowed from my customizations of Finnix which never saw the light of day.

Combine those two tools, and it should be possible for analysts using MalNet to customize their environment, install the One True Editor, or even download updates. Maybe, if I'm really lucky, I can even factor myself out of the day to day maintenance. More time to start new pet projects is always good.

So far, I have converting from a CDROM or ISO filesystem to USB figured out and working nicely. Converting backwards should follow soon behind -- this is just flopping between syslinux and isolinux using either block devices or loop mounted files. Next up is figuring out how to trick Casper into checkpointing to the boot drive or committing the time to actually writing a serialize-to-squashfs script of my own.